/*
 * BehaviorParser.h
 * Profiler to classify malware into generic categories
 * @author Gregoire JACOB (gregoire.jacob@orange-ftgroup.com)
 * @date 01/12/2008
 * @version 1.0
 * Parse the behavior database stored in an XML Format
 * (relies on expat parser)
 */

#include ".\Includes\expat.h"

// Parser state shared with the XML callbacks.
// NOTE(review): these are definitions, not `extern` declarations, so every
// translation unit that includes this header gets its own (tentative)
// definition. Whether several such units link together depends on the
// toolchain's common-symbol handling. Confirm this header is included from
// one .c file only.
int depth; // current nesting depth while parsing the XML document
int endbehaviors; // NOTE(review): presumably set once the end of the behavior list is reached; confirm in the parser source
// Parser context codes, one per behavior kind declared in this header
// (duplication, propagation, residency, overinfection, execution proxy).
// NOTE(review): presumably they record which element the parser is currently
// inside; the code that uses them is not in this header.
#define INSIDE_DUP		1
#define INSIDE_PROP		2
#define INSIDE_RES		3	
#define INSIDE_OVINF	4
#define INSIDE_EXEPROX	5

// Object natures: integer codes for the kind of object a behavior refers to.
// NOTE(review): presumably these are the values stored in the *nature fields
// of the behavior structures and returned by recoverNature(); confirm.
#define OBJ_FILE	1
#define OBJ_FOLD	2
#define	OBJ_DRIVE	3
#define OBJ_REG		4
#define OBJ_NETW	5
#define OBJ_MAIL	6
// NOTE(review): VAR has no OBJ_ prefix; as a short macro name it can collide
// with identifiers in any file that includes this header.
#define VAR			7
// Object status: whether the object already exists or is created.
// NOTE(review): presumably the values of the targetstatus fields. Code 0
// (OBJ_CREATED) is also what a zero-initialized field holds, so "created"
// cannot be told apart from "never set"; confirm that this is intended.
#define OBJ_EXIST	1
#define OBJ_CREATED	0


// Behavior memory representations
// MAX_NB_BEHAVIORS is not referenced anywhere in this header.
// NOTE(review): presumably it is the capacity of each *base array; if so, the
// matching nb* counter must be checked against it before a record is
// appended. Confirm in the parser source.
#define MAX_NB_BEHAVIORS 2000
// Size in bytes of every name buffer in the behavior structures below.
// NOTE(review): XML attribute values can be longer than this, so whatever
// fills those buffers has to bound the copy to NAME_MAX_LENGTH - 1 characters
// plus the terminating NUL, and reject or truncate longer values explicitly.
#define NAME_MAX_LENGTH 256
// One duplication behavior record from the behavior database.
// NOTE(review): field meanings below are inferred from the names unless a
// code list is given; confirm against the database schema.
struct DUPLICATION{
	int			flow; //0=transfer, 1=single-block, 2=interleaved
	char		sourcename[NAME_MAX_LENGTH]; // fixed-size buffer; writers must bound the copy and NUL-terminate
	int			sourcenature; // presumably an object-nature code (OBJ_* / VAR)
	char		targetname[NAME_MAX_LENGTH]; // fixed-size buffer; writers must bound the copy and NUL-terminate
	int			targetnature; // presumably an object-nature code (OBJ_* / VAR)
	int			targetstatus; // presumably OBJ_EXIST or OBJ_CREATED
	int			transitnature; // presumably an object-nature code for the intermediate object
};
// Storage for the duplication records and the number of records in it.
// Both are defined here rather than declared extern. The allocation and its
// size are not visible in this header.
struct DUPLICATION * duplicationbase;
int nbduplication;

// One propagation behavior record from the behavior database.
// NOTE(review): field meanings below are inferred from the names unless a
// code list is given; confirm against the database schema.
struct PROPAGATION{
	int			flow; //0=transfer, 1=single-block, 2=interleaved
	char		sourcename[NAME_MAX_LENGTH]; // fixed-size buffer; writers must bound the copy and NUL-terminate
	int			sourcenature; // presumably an object-nature code (OBJ_* / VAR)
	char		interfacename[NAME_MAX_LENGTH]; // fixed-size buffer; writers must bound the copy and NUL-terminate
	int			interfacenature; // presumably an object-nature code (OBJ_* / VAR)
	int			transitnature; // presumably an object-nature code for the intermediate object
};
// Storage for the propagation records and the number of records in it.
// Both are defined here rather than declared extern. The allocation and its
// size are not visible in this header.
struct PROPAGATION * propagationbase;
int nbpropagation;

// One residency behavior record from the behavior database.
// NOTE(review): field meanings below are inferred from the names; confirm
// against the database schema.
struct RESIDENCY{
	int			valuenature; // presumably an object-nature code for the value being written
	char		targetname[NAME_MAX_LENGTH]; // fixed-size buffer; writers must bound the copy and NUL-terminate
	int			targetnature; // presumably an object-nature code (OBJ_* / VAR)
	int			targetstatus; // presumably OBJ_EXIST or OBJ_CREATED
};
// Storage for the residency records and the number of records in it.
// Both are defined here rather than declared extern. The allocation and its
// size are not visible in this header.
struct RESIDENCY * residencybase;
int nbresidency;

// One overinfection behavior record from the behavior database.
// NOTE(review): field meanings below are inferred from the names unless a
// code list is given; confirm against the database schema.
struct OVERINFECTION{
	int			conditional; //0=straight, 1=inverse
	char		markername[NAME_MAX_LENGTH]; // fixed-size buffer; writers must bound the copy and NUL-terminate
	int			markernature; // presumably an object-nature code (OBJ_* / VAR)
};
// Storage for the overinfection records and the number of records in it.
// Both are defined here rather than declared extern. The allocation and its
// size are not visible in this header.
struct OVERINFECTION * overinfectionbase;
int nboverinfection;

// One execution-proxy behavior record from the behavior database.
// NOTE(review): field meanings below are inferred from the names; confirm
// against the database schema.
struct EXECUTIONPROXY{
	char		interfacename[NAME_MAX_LENGTH]; // fixed-size buffer; writers must bound the copy and NUL-terminate
	int			interfacenature; // presumably an object-nature code (OBJ_* / VAR)
	char		targetname[NAME_MAX_LENGTH]; // fixed-size buffer; writers must bound the copy and NUL-terminate
	int			targetnature; // presumably an object-nature code (OBJ_* / VAR)
	int			targetstatus; // presumably OBJ_EXIST or OBJ_CREATED
};
// Storage for the execution-proxy records and the number of records in it.
// Both are defined here rather than declared extern. The allocation and its
// size are not visible in this header.
struct EXECUTIONPROXY * executionbase;
int nbexecution;


/**
 * recoverNature(), recoverStatus(), recoverFlow(), recoverConditional()
 * Convert an attribute value read as a string into its integer code.
 * @param attr the attribute value as a string
 * @return the same attribute in its binary (integer) representation
 *
 * NOTE(review): presumably recoverNature() yields an object-nature code
 * (OBJ_* / VAR), recoverStatus() yields OBJ_EXIST or OBJ_CREATED,
 * recoverFlow() yields 0..2 and recoverConditional() yields 0 or 1; confirm
 * in the implementation.
 * NOTE(review): the value returned for an unrecognized or NULL string is not
 * specified here. Because the strings come from the database file, callers
 * need a defined "invalid" result that they can check for.
 */
int recoverNature(char * attr);
int recoverStatus(char * attr);
int recoverFlow(char * attr);
int recoverConditional(char * attr);


/**
 * parseBehaviorDatabase()
 * Use the Expat parser to recover the behavior database.
 * @param bdb the behavior database file in XML format
 *
 * Returns void, so a malformed database or a parse error is not reported
 * through the return value.
 * NOTE(review): presumably the results are stored in the *base arrays and
 * nb* counters declared in this header; confirm how callers detect a failed
 * or partial parse before relying on them.
 * NOTE(review): FILE comes from <stdio.h>, which this header does not include
 * itself; it must already be in scope where this header is included, unless
 * expat.h provides it.
 */
void parseBehaviorDatabase(FILE * bdb);
